After optimising our DataPortal.Create statements to ProxyModes.LocalOnly where appropriate, we encountered the following:
We had to explicitly add the Permission check to get the same behaviour from the Remote DataPortal, which throws an exception. Without explicitly checking for authorisation, we ended up with a created object that was not saveable.
Is this an oversight on my part somewhere? It would not seem logical to me.
Rgds
public static void CreateRoot(EventHandler<DataPortalResult<SeverityEdit>> callback)
{
    // Explicitly Add Authorisation Check
    if (!Csla.Rules.BusinessRules.HasPermission(Csla.Rules.AuthorizationActions.CreateObject, typeof(SeverityEdit)))
        throw new System.Security.SecurityException("UserNotAuthorizedException/" + Csla.Rules.AuthorizationActions.CreateObject.ToString() + "/" + typeof(SeverityEdit).Name);

    DataPortal.BeginCreate<SeverityEdit>(callback, DataPortal.ProxyModes.LocalOnly);

    //DataPortal.BeginCreate<SeverityEdit>(callback, DataPortal.ProxyModes.Auto); // Via the Server Side DataPortal, authorisation is automatic
}

public static void AddObjectAuthorizationRules()
{
    BusinessRules.AddRule(typeof(SeverityEdit), new IsInRole(AuthorizationActions.CreateObject, Constants.ROLE_Developer));
}
You are saying that the local data portal in Silverlight doesn't automatically check the per-type authorization rules?
Yes,
It is possible to create an object via the local dataportal. It isn't saveable, but the behaviour is inconsistent with that of the remote dataportal, which raises an exception.
OK, I'll add this to the bug list. Thank you!
Copyright (c) Marimer LLC